Realchar Unauthenticated Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Realchar version 0.0.4. The issue arises in the file upload request handling, where appending characters, such as dashes, to the end of a multipart boundary in an HTTP request causes the server to repeatedly process each character. This behavior leads to excessive resource consumption, making the service unavailable to users. The vulnerability can be triggered without authentication or user interaction, and the resulting outage affects all users of the service.

Impact

Exploitation of this vulnerability causes severe resource exhaustion on the server, overwhelming its capacity and leading to a complete service outage. Although the frontend remains active, all core functionalities, including chatting, become unavailable for users.

Reproduction

To reproduce this vulnerability, send a POST request to the '/uploadfile' endpoint with a multipart/form-data content type. Include a file in the request and append a large number of characters, such as dashes, to the end of the multipart boundary. The server will process each appended character, causing significant resource consumption and disrupting service availability.
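As an added defensive example, not part of this advisory or of the Realchar project, the following Python pre-parse validator shows one mitigation for the request shape described above: it enforces the RFC 2046 limits on the boundary parameter (1-70 characters from the permitted set) and rejects any delimiter line in the body that carries bytes beyond "--boundary" or "--boundary--" plus a few bytes of whitespace, so the body is refused before a multipart parser ever scans it. The function names, the constant MAX_TRANSPORT_PADDING, the sample boundary and the sample file part are all constructed for this example.

```python
import re
from typing import Tuple

# RFC 2046 section 5.1.1: a boundary is 1-70 characters from the "bchars" set
# and must not end with a space. Everything below, including the sample request,
# is constructed for this example and is not Realchar project code.
_BCHARS_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{1,70}$")
MAX_TRANSPORT_PADDING = 4   # bytes of optional whitespace tolerated after a delimiter


def extract_boundary(content_type: str) -> str:
    """Return the boundary parameter of a multipart/form-data Content-Type header.

    Raises ValueError when the header is not multipart/form-data, lacks a boundary,
    or carries a boundary that violates the RFC 2046 length or character set.
    """
    media, _, params = content_type.partition(";")
    if media.strip().lower() != "multipart/form-data":
        raise ValueError("not multipart/form-data")
    boundary = None
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            boundary = value.strip().strip('"')
    if boundary is None:
        raise ValueError("missing boundary parameter")
    if not _BCHARS_RE.match(boundary) or boundary.endswith(" "):
        raise ValueError("boundary violates RFC 2046 length or character set")
    return boundary


def validate_multipart_body(body: bytes, boundary: str, max_parts: int = 16) -> int:
    """Check every delimiter line before handing the body to a multipart parser.

    A delimiter line must be exactly "--boundary" or "--boundary--", optionally
    followed by a few bytes of whitespace. Any other trailing bytes (for example a
    run of dashes) are rejected. Returns the number of delimiter lines seen.
    """
    delim = b"--" + boundary.encode("ascii")
    parts = 0
    for raw_line in body.split(b"\n"):
        line = raw_line.rstrip(b"\r")
        if not line.startswith(delim):
            continue
        tail = line[len(delim):]
        if tail.startswith(b"--"):          # closing delimiter
            tail = tail[2:]
        if len(tail) > MAX_TRANSPORT_PADDING or tail.strip(b" \t"):
            raise ValueError(
                f"{len(tail)} unexpected trailing bytes after multipart delimiter")
        parts += 1
        if parts > max_parts:
            raise ValueError("too many multipart delimiters")
    if parts == 0:
        raise ValueError("no multipart delimiter found in body")
    return parts


def check_upload_request(content_type: str, body: bytes) -> Tuple[bool, str]:
    """Gate an upload request: (True, 'ok') to let it through, (False, reason) to reject."""
    try:
        boundary = extract_boundary(content_type)
        validate_multipart_body(body, boundary)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


# --- constructed sample request (hypothetical boundary and file content) ---
SAMPLE_BOUNDARY = "ExampleBoundaryX9f2"
SAMPLE_CONTENT_TYPE = f"multipart/form-data; boundary={SAMPLE_BOUNDARY}"


def build_sample_body(trailing: bytes = b"") -> bytes:
    """One file part; `trailing` is appended to the opening delimiter line."""
    delim = b"--" + SAMPLE_BOUNDARY.encode("ascii")
    return (delim + trailing + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
            b"Content-Type: text/plain\r\n\r\n"
            b"hello\r\n"
            + delim + b"--\r\n")


if __name__ == "__main__":
    print(check_upload_request(SAMPLE_CONTENT_TYPE, build_sample_body()))
    print(check_upload_request(SAMPLE_CONTENT_TYPE, build_sample_body(b"-" * 5000)))
    print(check_upload_request(SAMPLE_CONTENT_TYPE + "-" * 100, build_sample_body()))
```

The check runs in linear time over the body and rejects before any parsing work is done, so the cost of a malformed request is bounded by the body size limit already enforced by the web server; pairing it with a strict maximum request size and a per-client rate limit on the upload endpoint is what a defender would normally deploy alongside the vendor fix.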

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  8.7
  remediation     0.0
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.